Platform
java
Component
org.opencastproject:opencast-user-interface-configuration
Fixed in
17.7.1
18.0.1
17.7
CVE-2025-55202 describes a Path Traversal vulnerability discovered in the OpenCast UI Configuration module. This vulnerability allows attackers, under specific conditions, to access files within adjacent directories sharing a common path prefix. Versions of OpenCast UI Configuration up to and including 9.9 are affected. A fix is available in version 17.7.
The vulnerability stems from insufficient path traversal protections within the UI configuration module. While full path traversal is not possible, an attacker can potentially gain access to files located in a directory that shares a prefix with the default UI configuration directory (e.g., /etc/opencast/ui-config and /etc/opencast/ui-config-hidden). This access is contingent on the target files being readable by the OpenCast process. The potential impact includes unauthorized access to sensitive configuration files or other data stored within those adjacent directories. This vulnerability does not allow arbitrary code execution.
This CVE was published on 2025-08-29. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept exploits are currently known. The vulnerability's impact is limited, requiring specific directory structures and file permissions to be exploitable, which may reduce the likelihood of widespread exploitation.
Organizations deploying OpenCast for video management and streaming, particularly those using legacy configurations or shared hosting environments, are at risk. Systems with default directory structures and permissive file permissions are especially vulnerable.
• linux / server: list directories beside the UI configuration directory that share its name prefix (for example ui-config-hidden) and show any files inside them that are readable by others:
find /etc/opencast -maxdepth 1 -type d -name 'ui-config*' ! -name ui-config -print0 | xargs -0 -I{} find {} -type f -perm -o=r -ls
• java / server: Monitor OpenCast application logs for unusual file access attempts or errors related to path traversal. Look for patterns indicating attempts to access files outside the expected configuration directory.
• generic web: Examine web server access logs for requests targeting the UI configuration endpoint with unusual path parameters. Look for attempts to manipulate the path to access files outside the intended directory.
Exploit status
disclosure
EPSS
0.07% (21st percentile)
CISA SSVC
The primary mitigation for CVE-2025-55202 is to upgrade OpenCast UI Configuration to version 17.7 or later, which includes the necessary path traversal protections. If an immediate upgrade is not feasible, consider restricting file permissions on the UI configuration directory and its adjacent directories to prevent unauthorized access. Ensure that only the OpenCast process has read access to these files. Regularly review file permissions and access controls to maintain a secure configuration. After upgrade, confirm by attempting to access files outside the intended UI configuration directory via the UI and verifying access is denied.
Update Opencast to version 17.7 or later, or to version 18.1, to fix the path traversal vulnerability. As a temporary measure, review the user interface configuration and make sure there are no folders whose path begins with the same path as the ui-config folder.
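The detection hint and the temporary workaround above both come down to one on-disk check: are there sibling directories of ui-config that share its name prefix, and do they hold files the service can read? The following audit script is an added example, not part of the advisory or of the Opencast project; it assumes the configuration root is passed as an argument (defaulting to /etc/opencast) and approximates "readable by the OpenCast process" as "readable by others", so files owned by the service account itself still need a manual look.

```shell
#!/bin/sh
# Added example (not from the advisory or the Opencast project): audit a
# configuration root for directories whose names share the "ui-config"
# prefix with the real UI configuration directory, and list any files
# inside them that are readable by others. Assumption: the directory
# name is "ui-config", matching the page's default /etc/opencast/ui-config.

# Print every directory under <root> whose name starts with "ui-config",
# excluding "<root>/ui-config" itself (e.g. ui-config-hidden), one per line.
prefix_siblings() {
    root="$1"
    for d in "$root"/ui-config*; do
        [ -d "$d" ] || continue
        [ "$d" = "$root/ui-config" ] && continue
        printf '%s\n' "$d"
    done
}

# For each sibling directory, list regular files whose mode grants read
# access to "other": these are the files the advisory says become reachable.
readable_in_siblings() {
    root="$1"
    prefix_siblings "$root" | while IFS= read -r d; do
        find "$d" -type f -perm -o=r
    done
}

# Exit 0 when no exposure exists, 1 otherwise (usable from cron or CI).
audit_ui_config() {
    root="${1:-/etc/opencast}"
    found=$(readable_in_siblings "$root")
    if [ -n "$found" ]; then
        echo "world-readable files in ui-config sibling directories:" >&2
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

Run it as `audit_ui_config /etc/opencast` after applying the workaround; a non-zero exit means a sibling directory with the shared prefix still exposes readable files.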
CVE-2025-55202 is a Path Traversal vulnerability affecting OpenCast UI Configuration versions up to 9.9, allowing potential access to files in adjacent directories under specific conditions.
You are affected if you are using OpenCast UI Configuration version 9.9 or earlier. Upgrade to version 17.7 to mitigate the vulnerability.
Upgrade OpenCast UI Configuration to version 17.7 or later. As a temporary workaround, restrict file permissions on the UI configuration directory and its adjacent directories.
There is currently no evidence of active exploitation of CVE-2025-55202, and no public proof-of-concept exploits are known.
Refer to the OpenCast project's security advisories and release notes for details on CVE-2025-55202 and the corresponding fix: [https://opencastproject.org/security/](https://opencastproject.org/security/)